Tuesday 7 March 2017

This new version of oledump.py adds some extra features for YARA rule scanning.

oledump.py declares 2 external variables that can be used in your YARA rules.

External variable streamname is a string with the stream name, as printed in oledump’s report.

External variable VBA is a boolean that is set to true when the data to scan is VBA source code. Previous versions of oledump would scan the raw stream content with YARA, but this new version also decompresses all streams with VBA macros, and concatenates them together to scan them after all streams have been scanned.